[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection
Jules
Jules at Zend.To
Mon May 23 09:52:54 BST 2011
On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:
>
> Hi,
>
> we engaged a company for penetration testing of web applications and
> that's why I tried to be prepared....
>
> I used the tool "burp suite" which is a http/https proxy for
> intercepting web requests / responses.
>
> * I made a dropoff request without username / password --> only
> ReCaptcha
>
Definitely a bug, now fixed. Well done!
>
> * I intercepted the POST to dropoff.php
>
>
> (See attached file: dropoff)
Great, XML, my favourite. :-)
>
> * in the tool you can send the POST to the repeating module and
> modify the POST
> * I was able to send the upload various times --> the limit
> will be the free space on the host system --> can be used to
> blow up the system and perhaps crash the system
>
If you don't complete the upload, then you will be able to do that. Once
the upload has finished, the auth code should be removed (and now is!
:-) (unless you're a logged in user, at which point we can hunt you down
anyway).
I'm not particularly worried about attacks by logged in users. They can
just repeat the entire upload process as many times as they like anyway,
uploading either the same files or different files each time.
>
> * I was able to change for example the email address of the
> recipient (only the domain defined in preferences.php) in the
> POST --> can be used for SPAM if the email domain is not
> configured correctly
>
Agreed. You can indeed change the email address of the recipient in the
upload. But then again you can just make your automated hacking system
slightly more clever and do multiple uploads to anyone you like in the
preferences.php configured domain. So I am not worried about that
either.
>
> Is it possible to limit the lifetime of the auth-Parameter to only one
> request?
Well spotted, yes that is a bug. Fixed. That should take care of the
multiple uploads exploits you found above too.
Many thanks for finding these for me, it is much appreciated!
Cheers,
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
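As an added illustration, not code from ZendTo (which is PHP) or from this thread: a Python sketch of the two server-side checks the exchange above settles on, an auth code that is removed the first time a completed upload presents it, so a replayed dropoff POST is rejected, and a recipient check against the one domain preferences.php permits. The store class, the lifetime and the domain value are assumptions made for the example.

```python
import secrets
import time

# Assumed stand-ins; ZendTo's real settings live in preferences.php.
ALLOWED_RECIPIENT_DOMAIN = "example.org"
AUTH_LIFETIME_SECONDS = 3600


class DropoffAuthStore:
    """Issues single-use, expiring auth codes for a drop-off upload.

    consume() removes the code whatever the outcome, so a second POST
    carrying the same code (a replay from an intercepting proxy) fails.
    """

    def __init__(self, now=time.time):
        self._now = now           # injectable clock, so expiry is testable
        self._codes = {}          # auth code -> expiry timestamp

    def issue(self):
        code = secrets.token_urlsafe(24)
        self._codes[code] = self._now() + AUTH_LIFETIME_SECONDS
        return code

    def consume(self, code):
        expiry = self._codes.pop(code, None)
        return expiry is not None and self._now() <= expiry


def recipient_allowed(email, allowed_domain=ALLOWED_RECIPIENT_DOMAIN):
    """True only for a well-formed address inside the configured domain."""
    local, sep, domain = email.rpartition("@")
    return bool(local) and sep == "@" and domain.lower() == allowed_domain.lower()


def handle_dropoff(store, post):
    """Validate the fields an attacker can edit in the dropoff POST.

    Returns (accepted, reason). The recipient is checked before the auth
    code is consumed, so a bad recipient does not burn a valid code.
    """
    if not recipient_allowed(post.get("recipient", "")):
        return False, "recipient outside configured domain"
    if not store.consume(post.get("auth", "")):
        return False, "auth code missing, expired or already used"
    return True, "accepted"


if __name__ == "__main__":
    store = DropoffAuthStore()
    post = {"auth": store.issue(), "recipient": "alice@example.org"}  # constructed
    print(handle_dropoff(store, post))   # first upload accepted
    print(handle_dropoff(store, post))   # identical replay rejected
```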